How much at risk is the U.S.'s critical infrastructure?

Taylor Armerding | Jan. 22, 2016

The U.S. intelligence community is well aware that hostile hackers – some from nation states – have gained access to portions of the nation’s critical infrastructure. There is wide agreement that this is not a good thing. But the debate about how big a threat it is rages on.

Mark Gazit, CEO, ThetaRay

“It's not like if we break one, we can go down to the hardware store and get a replacement,” he said.

Of course, even hostile nation states would be unlikely to seek to disable the U.S. in a major way, since it would be seen as an act of war that would trigger a ferocious response, and could also have a major effect on the stability and economy of every other nation in the world, including their own.

There are also assumptions, even if they are not confirmed officially, that if nations like North Korea, China, Russia and Iran have breached ICS facilities in the U.S., the U.S. has penetrated their facilities as well, creating the cyber version of the balance of terror.

Lee and Scott, asked about that, both issued a terse, “no comment.”

But Gazit said he suspects it is true. “History shows that no playing field ever gets too one-sided,” he said. “When one side develops skills, the other side develops skills as well.”

None of those constraints apply, however, to terrorist groups like the Islamic State (commonly called ISIS), which have an apocalyptic view of international relations. They are not seen as a cyber threat now, but could become one.

“Groups like ISIS are mostly using the Internet for recruiting purposes,” said Justin Harvey, CSO at Fidelis Security, “but I don’t think this will always be true. It is only a matter of time before ISIS gets their collective stuff together and starts funding cyber terrorism.”

Fu believes that the best anyone can do in analyzing cyber threats is an educated guess. “The risks are real,” he said. “Everything could be fine for 10 years, but there is no way of giving any meaningful assurance that it will stay that way.

“At what point will an entity like terrorists develop that capability? We don’t know.”

And that gets back to an issue on which most experts agree. Whether the threat level is catastrophic or not, American ICS operators need to improve their security. That means improvements in both technology and the skills of the humans running it.

When it comes to technology, the emphasis should be on detection and rapid response more than on prevention, they said.

“Stop investing so much in prevention technologies and focus on detection platforms that forensically examine network and endpoint metadata for threats,” Harvey said.

Gazit agrees. “Machine-based solutions using advanced algorithms can provide real-time detection, actionable intelligence and uninterrupted response,” he said, “providing the necessary alerts to human beings so they can make the right decision at the right time.”

According to Lee, “the big focus needs to be on the training and empowering of security personnel. The threat is a human adversary and it is foolish to think technology alone will stop a human adversary. To counter flexible and persistent adversaries requires empowered and trained defenders.